CS Document 6769-v1
A fully unprivileged CernVM-FS
- Document #: CS-doc-6769-v1
- Document type: Conference
- Submitted by: Dave Dykstra
- Updated by: Dave Dykstra
- Document Created: 16 May 2019, 14:12
- Contents Revised: 05 Nov 2019, 09:33
- Metadata Revised: 05 Nov 2019, 09:33
- Viewable by: Public document
- Other versions: CS-doc-6769-v0 (16 May 2019, 14:12)
- Abstract: The CernVM File System provides the software and container distribution backbone for most High Energy and Nuclear Physics experiments. It is implemented as a file system in user space (FUSE) module, which permits its execution without any elevated privileges. Yet mounting the file system in the first place is handled by a privileged suid helper program that is installed by the fuse package on most systems. The privileged nature of the mount system call is a serious hindrance to running CernVM-FS on opportunistic resources and supercomputers. Fortunately, recent developments in the Linux kernel and in the FUSE user-space libraries have enabled fully unprivileged mounting for FUSE file systems (as of RHEL 8), or at least outsourcing the privileged mount system call to a custom, external process. This opens the door to several very appealing new ways to use CernVM-FS, such as a generally usable "super pilot" consisting of the pilot code bundled with Singularity and CernVM-FS, or the on-demand instantiation of unprivileged, ephemeral containers to publish new CernVM-FS content from anywhere. In this contribution, we discuss the integration of these new Linux features with CernVM-FS and show some of its most promising new applications.
- Files in Document: Poster (cvmfs-chep19.pdf, 4.0 MB)
- Associated with Events: CHEP 2019 held on 04 Nov 2019 in Adelaide, Australia